authorRaph Levien <raph@google.com>2015-12-08 11:36:58 -0800
committerandroid-build-merger <android-build-merger@google.com>2015-12-08 11:36:58 -0800
commit8921cfe226e9b7774810c9711579586b5b227b82 (patch)
tree4952f4146f9b7a155d714db59c75a50c248ef160
parentc65e6f1ee0b2f32183766726ac459188b1a37b35 (diff)
parent7aec64b9099d0b5bbbe766a2c29b9f09f0939a4c (diff)
Avoid integer overflows in parsing fonts am: 6299a6ba13 am: 998293f985 am: ffadd191a0 am: d56908571d
am: 7aec64b909 * commit '7aec64b9099d0b5bbbe766a2c29b9f09f0939a4c': Avoid integer overflows in parsing fonts
-rw-r--r--libs/minikin/CmapCoverage.cpp9
1 files changed, 6 insertions, 3 deletions
diff --git a/libs/minikin/CmapCoverage.cpp b/libs/minikin/CmapCoverage.cpp
index 7503372..6431000 100644
--- a/libs/minikin/CmapCoverage.cpp
+++ b/libs/minikin/CmapCoverage.cpp
@@ -29,11 +29,12 @@ namespace android {
// These could perhaps be optimized to use __builtin_bswap16 and friends.
static uint32_t readU16(const uint8_t* data, size_t offset) {
- return data[offset] << 8 | data[offset + 1];
+ return ((uint32_t)data[offset]) << 8 | ((uint32_t)data[offset + 1]);
}
static uint32_t readU32(const uint8_t* data, size_t offset) {
- return data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | data[offset + 3];
+ return ((uint32_t)data[offset]) << 24 | ((uint32_t)data[offset + 1]) << 16 |
+ ((uint32_t)data[offset + 2]) << 8 | ((uint32_t)data[offset + 3]);
}
static void addRange(vector<uint32_t> &coverage, uint32_t start, uint32_t end) {
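Review bot: readU16 and readU32 still index `data[offset + 1]` and `data[offset + 3]` without any length to check against, so every caller has to validate the offset against the table size first, and nothing in the helpers states that. I would document the precondition on each, e.g. `// Caller must guarantee offset + 4 <= size of data; no bounds check is done here.` (and `offset + 2` for readU16). It is also worth a short comment on why the casts exist: `uint8_t` promotes to `int`, so the old `data[offset] << 24` shifted into the sign bit for bytes of 0x80 and above, and without that explanation a later cleanup could remove the casts as redundant.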
@@ -101,11 +102,13 @@ static bool getCoverageFormat12(vector<uint32_t>& coverage, const uint8_t* data,
const size_t kGroupSize = 12;
const size_t kStartCharCodeOffset = 0;
const size_t kEndCharCodeOffset = 4;
+ const size_t kMaxNGroups = 0xfffffff0 / kGroupSize; // protection against overflow
+ // For all values < kMaxNGroups, kFirstGroupOffset + nGroups * kGroupSize fits in 32 bits.
if (kFirstGroupOffset > size) {
return false;
}
uint32_t nGroups = readU32(data, kNGroupsOffset);
- if (kFirstGroupOffset + nGroups * kGroupSize > size) {
+ if (nGroups >= kMaxNGroups || kFirstGroupOffset + nGroups * kGroupSize > size) {
return false;
}
for (uint32_t i = 0; i < nGroups; i++) {
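Review bot: The new guard relies on the magic constant `0xfffffff0`, which is only correct while kFirstGroupOffset (defined above the hunk) stays small enough that `kFirstGroupOffset + nGroups * kGroupSize` cannot wrap a 32-bit `size_t`. Nothing ties the constant to that offset. A division-based check avoids the multiplication entirely and needs no constant: `if (nGroups > (size - kFirstGroupOffset) / kGroupSize) return false;`. The subtraction is safe because the function has already returned when `kFirstGroupOffset > size`. This also rejects exactly the group counts that do not fit in the table, on both 32- and 64-bit builds. The loop body that consumes nGroups continues outside the hunk, so the per-group reads could not be reviewed here.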